FORENSIC IT, INC. Corporate Training and Support

Network Analysis – A Proposal





Practical Network Analysis




Forensic IT, Inc., 500 N. Broadway, Suite 1650

St. Louis, MO 63102, Phone 877-IT-DEBUG


Copyright 2012 Forensic IT, Inc.

All rights reserved. This document is printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the owner, Forensic IT, Inc. prior to any reproduction, storage in retrieval system, duplication, or transmission in any form or by any means, electronic, mechanical, photo-copying, recording, or likewise.

It is unlawful to use any portion of this manual without written consent of Forensic IT, Inc.

If you wish to contact Forensic IT, Inc. with regards to this material, write to:

Forensic IT, Inc., 500 N. Broadway, Suite 1650, St. Louis, MO 63102

Or

Forensic IT, Inc., 57 E. Southcrest Circle, Edwardsville, IL 62025


Table of Contents

Network Analysis – A Proposal ..... 1
  Who Should Take This Course ..... 2
  Pre-Requisites ..... 2
Course Objectives ..... 3
Network Packets – The Missing Data ..... 5
  Non-Verbal Communication ..... 5
  Networks Are Similar to Human Communication ..... 5
Helpful Visualizations ..... 7
Why Analyze a Network Trace? ..... 9
  No Packets! ..... 10
  Some Packets! ..... 10
  A Real World Scenario ..... 11
Client Server Architectures ..... 13
  Same Computer ..... 13
  Connected to Hub ..... 14
  Connected to Layer 2 Switch ..... 15
  Multiple Layer 2 Switches ..... 16
  Layer 3 Switch ..... 19
  Routing Switch and Access Layer Switches ..... 20
  Route/Access Switches Same VLAN ..... 21
  Route/Access Switches Different VLANs ..... 22
  Across Firewalls ..... 23
Trace Combinations ..... 25
  One-Sided ..... 25
  Two-Sided ..... 26
  Man-In-The-Middle ..... 27
Rules of a Trace Warrior ..... 33
Different Network Analyzers ..... 35
WireShark Download/Installation ..... 37
  Installation ..... 37
  Launch ..... 37
Basic Wire Capture ..... 39
  Anatomy of a Capture ..... 42
    Seven Layer OSI Reference Model ..... 48
    TCP/IP (or DoD) Reference Model ..... 49
    Trace Content & Objects ..... 50
  Wireless Capture ..... 51
Common Network Packets ..... 53
  ARP – Local LAN ..... 54
  ARP – Remote LAN to LAN ..... 55
Filtering ..... 63
  Capture Filters ..... 63
  Display Filtering ..... 63
    Filter Expression Dialog ..... 64
    Manual Filter Entry ..... 68
    Complex Filter Combinations and Boolean Logic ..... 70
    IP.ADDR, IP.DST, and IP.SRC ..... 71
    Right-Click Filtering ..... 73
    Apply As Column ..... 78
    Set Time Reference Uses ..... 85
Useful Menu Items ..... 85
  Statistics ..... 85
    Summary ..... 85
    Protocol Hierarchy ..... 87
    Conversations ..... 89
    Endpoints ..... 91
    Flow Graph ..... 92
Exporting Data/Objects ..... 95
  SSL Certs ..... 95
  Export Excel, Word, and Text Files ..... 96
  Export HTML and Image Files ..... 103
List of Lab Exercises ..... 105
List of Figures ..... 107

PURPOSE OF NETWORK ANALYSIS

Network Analysis – A Proposal

Understanding the content of the information flowing in a corporate network is key for successful analysis, security, and planning.

To say that you understand your network design and understand the conversations taking place, without ever tapping into the wire and observing the actual traffic, is like watching the Olympics on television versus being there in person. Sure, you get the highlights and see what “others” have told you are important events. You watch what they want you to watch, see interviews and ceremonies that they want you to see and miss out on what the Olympics are truly about. You don’t get to see the non-television moments, both struggles and triumphs, of all the athletes, coaches, and parents.

I would much rather be at the Olympics than looking at a network trace, but you see the point.

Information flows in the network and participates in almost every aspect of business. It cannot get from device A to device B unless it travels over the wire or through the air, short of someone typing it in manually or sneaker-netting the information.

The Proposal

At Forensic IT, we have turned tools such as network analyzers into common everyday debugging tools. We recognize that you cannot understand behavior without them. If you accept our word that understanding how to tap into and see the information in your business network is a key benefit that accelerates you to the head of your support group, we will do our best to show you how to make that happen.

Think of a network analyzer like an oscilloscope. An oscilloscope is a great tool if you know how to use it, when to use it and what the data means. If you don’t know those things, an oscilloscope is an expensive tool that makes pretty pictures!

The analyzer is no different. There are countless stories of network engineers, support persons, and even developers who say, “get me a network trace”, and then they are baffled by what is inside. They “know” the answer “is” inside the trace; they are just limited in their ability to read it.


Practical Network Analysis is not a network engineering course. It will not teach you all you need to know about configuring routers and switches. It does not focus on network design. Its focus is the use of a network analyzer to extract and read data on the network so that any time a problem exists that involves the communication between two devices, the participants in this course have the confidence and understanding to effectively apply the network analyzer to their issue.

There is a significant amount of network engineering knowledge that will be covered, primarily to help understand the network trace.

Who Should Take This Course

Participants should be involved in 3rd-level support groups or developer organizations. Participants should be familiar with other networking concepts such as IP addresses, subnet masks, etc.

Pre-Requisites

Participants should first complete Diagnostic Tools for IT Professionals, which builds the network and protocol background needed for understanding the data presented in this course.


Course Objectives

During this course, you will learn the following:

Why network trace analysis should be a core staple in any support group

Where and how to gather network traces across various architectures to assist in issue analysis

How to use Wireshark, a network trace analysis tool

How to quickly sift through large traces by using filters

How to extract objects from trace data

How to view a network trace as an ordered set of data that provides a clear view of how applications and their associated devices communicate with each other, following standard rules and behaviors


Network Packets – The Missing Data

Scientists are constantly looking for new data to help explain science that is right under their noses. A geneticist spends his career trying to determine how and why yeast activates at a specific temperature. Other scientists try to understand the origin of the universe or of species by examining data.

Likewise, in IT, somewhere, deep in the back rooms of an organization, after normal working hours, sits a support person, eating stale pizza, wishing they had a shower and a tooth brush, searching for the missing data that will help explain why their clients get slow screen updates from one server and cannot see data from the other server at all.

The phone rings.

It is their supervisor (at the baseball game, calling during the 7th inning stretch because he has to give an update to upper management) asking “what have you found out?”

The support person responds with some unintelligible techno-jargon that will be passed to upper management in an attempt to hide the fact that the support person has found out exactly nothing.

Why has nothing significant been found? The support person has examined the application, the log files, the error logs, everything and cannot see anything. A reboot or two is in the future the way this situation is going. A reboot might not be bad; the situation may be recovered, but what has been learned? What data can be used to help understand “why” the problem existed in the first place?

A better “why” would be, why hasn’t the support person looked at the very medium that connects the clients to the server? Why hasn’t the support person examined the data on that medium and worked to understand it?

Non-Verbal Communication

This situation is no different than two people in a room that are communicating. Certain non-verbal gestures convey lots of meaning and may be all that is needed for some conversations. In fact, over 80% of the communication between two persons is non-verbal. If there are no words spoken, then you cannot say you understand 100% of what is trying to be said. The two people in a room can communicate 80% of what is trying to be said without talking. This may be enough. In an argument, body language and gestures may be used to get the point across and no words need to happen. If, however, you are trying to communicate something really important like “cut the blue wire with the yellow stripe, not the yellow wire with the blue stripe”, then you better hope you can communicate in a better way than just gesturing.

Networks Are Similar to Human Communication

Just because two people have a need to speak and are in the same room doesn’t mean they can communicate. Even if both are talking, it doesn’t mean that they can understand each other.

There are great network tools on computers that help you understand the overall health of the network. You can see and validate the configurations. You can test basic health and connectivity. You can remove almost any obstacle that would prevent two processes on two different computers from actually communicating, but you cannot actually see that communication. You can speculate. You can guess. Without examining the data over the medium, you cannot say for sure what is actually being communicated.

Without examining the data on the medium, you are essentially getting the non-verbal communication.

The missing data in the conversation means everything when you are truly trying to understand what is being communicated. In a network, the missing data are the packets that traverse the medium connecting the client to the server.

You can ensure that the two computers involved in the conversation are up, connected to the network, properly configured, and running the software that is supposed to do the communication. You can ensure that both computers can see each other using standard network commands like PING or TRACERT. You can do all of this and still not be able to explain why they cannot communicate.

The packet data on the network medium are like the words in the conversation.


Pages 7 to 52 removed


Common Network Packets

Ok, we discussed packets, models, and the fact that everything is in the trace—everything.

This is good and bad. Because everything is in the trace, we also have to deal with lots of additional packets that are necessary, but clog our trace. These packets help find devices, find services, respond to events, and help route or deliver data across the network.

One of these items that we see all the time is an ARP packet or Address Resolution Protocol packet.

This ARP packet is the core of how MAC and IP address work together to deliver a packet from a source to a destination. It is used to “learn the physical address, i.e., MAC, of an IP address”. Once we understand ARPs, we can determine when to study them and when to filter them out of our trace to help better see the conversations of interest.

Question: If ARPs can easily be filtered out, should I just create a capture filter that excludes them?

In short, no. These are important to have at your disposal in any trace in the event you have to understand how a packet was routed or maybe why it wasn’t routed. We will show how to filter them in and out of the trace.

When an administrator configures a network device such as a computer or server, only the following three items are usually configured:

An IP address to uniquely define the computer on the network

A subnet mask which places the device into a specific subnet

A default gateway which is the IP address of the nearest router to that device in the network.

In the basic capture looked at previously, we could see MAC addresses in every packet and IP addresses in several, but not all, packets.


Why the discrepancy? The answer has to do with how packets are delivered on the network.

Well, every network card has a MAC address physically burned into it during the manufacturing process (some are programmable, but for the sake of discussion, think of them as permanent, burned in addresses).

ARP – Local LAN

Examine the simple network diagram in Figure 1. What do you suppose happens when WS1 wants to communicate with SRV1? All subnet masks are 255.255.255.0.

Question: Does the router (a.k.a, default gateway) see any packets from WS1 when WS1 starts to communicate with SRV1?

Figure 1 - Simple Network

When WS1 at IP address 10.78.1.1 wants to send data to SRV1 at 10.78.1.20, the following exchange happens.

1. WS1 determines the IP address of SRV1 (via DNS).

2. WS1 examines the IP address of SRV1 and compares it to its own IP address and subnet mask. WS1 concludes that SRV1 and WS1 are on the same network. This process is called “anding”.

3. If WS1 found that SRV1 was on a different network, it would perform an ARP broadcast for the MAC address that corresponds to the configured default gateway IP address. However, since they are in the same network, it performs a local LAN broadcast for the IP address of SRV1.

a. The local LAN broadcast address is 10.78.1.255 (assuming a subnet mask of 255.255.255.0).

4. The ARP broadcast is delivered to ALL devices (computers, other switches, routers, etc.) connected to Switch 1 (the switch that WS1 is connected to) except the Source device WS1.

See Figure 2 - Local LAN ARP. This shows that every device that is connected to the same switch as WS1 receives the ARP. The packet will look very much like the one from our lab earlier (Error: Reference source not found).

Figure 2 - Local LAN ARP

5. Only SRV1 responds with its MAC address. On the way back through Switch 1, Switch 1 records the MAC address for SRV1 in its MAC address table.

6. The data for the packet is built and then WS1 builds the Ethernet II frame and places its MAC address in the packet as the Source and SRV1’s MAC address as the destination. It then sends the frame to Switch 1 (the device to which ALL outbound traffic from WS1 goes).

7. Switch 1 receives the frame, reads the destination MAC address from the Ethernet II portion of the packet, examines its MAC address table to identify the switch port that SRV1 is connected to and then switches the frame to SRV1. The keyword here is “switches”.

Key Points of Local LAN ARP

The key points to understand about the Local LAN ARP shown in Figure 2 are:

When an ARP broadcast hits a switch, it will switch the ARP packet down every port on the switch including routers or other switches.

When the switch, Switch 1, learns a MAC address, it adds it to its internal MAC address table.

ARP – Remote LAN to LAN

Suppose that WS1 wants to send data to SRV2 as shown in Figure 3. We know from our network diagram that SRV2 is in a different network (LAN) and to get there, we have to go through Switch 1, the Router, and Switch 2. We will examine how WS1 learns the MAC address of SRV2.

Question: Can a packet be sent on Ethernet II without a source and destination MAC address? If yes, what does a switch or router do with it?

Figure 3 - Remote LAN Data Transmission


When WS1 at IP address 10.78.1.1 wants to send data to SRV2 at 10.78.2.20, the following exchange happens.

1. WS1 determines the IP address of SRV2 (via DNS).

2. WS1 examines the IP address of SRV2 and compares it to its own IP address and subnet mask via the “anding” process. WS1 concludes that SRV2 and WS1 are on different networks.

3. Since SRV2 is determined to be on a different network, WS1 needs to send the packet to its default gateway. Since the only path for an outbound packet from WS1 to SRV2 is initially through Switch 1 and to the Router, WS1 MUST obtain a suitable MAC address to send the packet to. It cannot leave WS1 without a destination MAC.

Question: Does it broadcast to 10.78.255.255?

4. In order to “switch” a packet from one port to another (the core function of a switch), a switch MUST have a MAC address of a device associated with one of its ports. That is how a switch works, by MAC address and not IP.

Since Switch 1 MUST have a MAC address of a device attached to one of its ports, logic tells us that it has to get the MAC address of the router interface it is connected to.

WS1 does an ARP broadcast for the IP address of its default gateway, i.e., the router.

Note, routers have multiple interfaces; Switch 1 is connected to an interface and Switch 2 is connected to a different interface.

5. All devices connected to Switch 1 receive the ARP broadcast but only the default gateway responds with its MAC address.


Figure 4 - ARP Broadcast for Default Gateway

6. The significant changes from the Local LAN ARP are that WS1 does not ask who has the IP for SRV2 (10.78.2.20); rather, it asks how to reach its default gateway. This is the only choice since Switch 1 has to have a port-to-MAC relationship in order to switch the frame down a port.

When WS1 builds the packet, it uses the MAC address of the 10.78.1.254 router interface as the Destination MAC for the Ethernet II protocol. On the way back from the Router through Switch 1 to WS1, Switch 1 records the MAC of the router interface in its MAC address table.

7. WS1 sends the packet; Switch 1 looks at its MAC address table and switches the packet to the port connecting the 10.78.1.254 router interface.

8. The Router examines its routing table to see if it has a route to the network to which SRV2 belongs (it determines the network from the IP address contained in Layer 3 of the packet). Remember, switches use Layer 2 and Routers use Layer 3.

If the Router does not have a route for the SRV2 network, it checks to see if it has a default route. If it does have a default route and no route for the SRV2 network, it will send the packet to its default route interface.

If there is no default route configured in the Router and it does not have a route for the SRV2 network, it will drop the packet and send a destination unreachable message back to WS1.

In this case, the SRV2 network does have a route configured in the routing table; therefore, the Router will perform an ARP broadcast in the network to which SRV2 belongs.

Figure 5 - ARP Broadcast from Router Interface

9. In Figure 5, the Router sends an ARP broadcast, IP address=10.78.2.255 from 10.78.2.254 asking who has IP address 10.78.2.20. This ARP broadcast hits Switch 2 which sends this ARP to every port (except the incoming port from the Router). SRV2 answers the ARP with its MAC address.

10. The Router places the MAC address of SRV2 in the Ethernet II header of the packet and sends the packet to Switch 2.

11. Switch 2 (which recorded the MAC address for SRV2 in its MAC table) identifies the switch port to which SRV2 is connected and switches the frame to that port to reach SRV2.
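The “anding” decision, Switch 1’s MAC-table learning and the Router’s route lookup from the Local LAN and Remote LAN procedures above, as an added example that is not code from this manual: the IP addresses (10.78.1.1, 10.78.1.20, 10.78.1.254, 10.78.2.20) are the manual’s, while the MAC addresses, switch port numbers and routing table are constructed.

```python
"""Added example, not from the Forensic IT manual: simulate WS1 resolving a
local (SRV1) and a remote (SRV2) destination through Switch 1 and the Router."""
import ipaddress
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
MASK = "255.255.255.0"
GATEWAY = "10.78.1.254"
# Constructed LAN 1 hosts: name -> (IP from the manual, constructed MAC, Switch 1 port)
LAN1 = {
    "WS1": ("10.78.1.1", "00:00:00:00:00:01", 1),
    "SRV1": ("10.78.1.20", "00:00:00:00:00:20", 2),
    "Router": ("10.78.1.254", "00:00:00:00:00:fe", 3),
}
# Constructed routing table for the Router: network -> outgoing interface IP
ROUTES = {"10.78.1.0/24": "10.78.1.254", "10.78.2.0/24": "10.78.2.254"}


def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """The "anding" process: AND both addresses with the mask and compare."""
    a, b, m = (int(ipaddress.IPv4Address(x)) for x in (ip_a, ip_b, mask))
    return (a & m) == (b & m)


def directed_broadcast(ip: str, mask: str) -> str:
    """Broadcast address of the host's own subnet (10.78.1.255 for WS1)."""
    return str(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False).broadcast_address)


def arp_target(src_ip: str, mask: str, gateway: str, dst_ip: str) -> str:
    """Which IP the host ARPs for: the destination itself when it is local,
    otherwise the default gateway, because the frame cannot leave without a
    destination MAC."""
    return dst_ip if same_network(src_ip, dst_ip, mask) else gateway


def route_lookup(routes: dict, dst_ip: str, default_iface: str = None) -> str:
    """Step 8 at the Router: a matching route wins, else the default route if one
    is configured, else the packet is dropped (destination unreachable). First
    match is used here; real routers pick the longest matching prefix."""
    dst = ipaddress.IPv4Address(dst_ip)
    for network, iface in routes.items():
        if dst in ipaddress.IPv4Network(network):
            return iface
    return default_iface or "drop: destination unreachable"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    info: str


@dataclass
class Switch:
    """Layer 2 switch: forwards by MAC only and learns source MACs per port."""
    name: str
    mac_table: dict = field(default_factory=dict)  # MAC -> port

    def forward(self, frame: Frame, in_port: int, all_ports: list) -> list:
        """Ports the frame leaves on. The source MAC is learned on ingress; a
        broadcast or unknown destination is flooded out every other port."""
        self.mac_table[frame.src_mac] = in_port
        out = self.mac_table.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST_MAC or out is None:
            return [p for p in all_ports if p != in_port]
        return [out]


def resolve_and_send(sw: Switch, hosts: dict, src: str, dst_ip: str,
                     mask: str = MASK, gateway: str = GATEWAY):
    """Host src resolves dst_ip through sw and sends one data frame. Returns
    (IP asked for, ports the ARP request was flooded to, ports the data frame
    was switched to)."""
    src_ip, src_mac, src_port = hosts[src]
    ports = [port for (_, _, port) in hosts.values()]
    asked = arp_target(src_ip, mask, gateway, dst_ip)
    # Steps 3-4: the ARP request is an Ethernet broadcast; the switch floods it.
    request = Frame(src_mac, BROADCAST_MAC, f"who has {asked}?")
    flooded = sw.forward(request, src_port, ports)
    # Step 5: only the owner of the asked-for IP replies; the switch learns it.
    owner = next(n for n, (ip, _, _) in hosts.items() if ip == asked)
    _, owner_mac, owner_port = hosts[owner]
    sw.forward(Frame(owner_mac, src_mac, f"{asked} is at {owner_mac}"), owner_port, ports)
    # Steps 6-7: the data frame carries a real destination MAC and is switched
    # down exactly one port.
    data_ports = sw.forward(Frame(src_mac, owner_mac, f"data for {dst_ip}"), src_port, ports)
    return asked, sorted(flooded), data_ports


if __name__ == "__main__":
    switch1 = Switch("Switch 1")
    print(resolve_and_send(switch1, LAN1, "WS1", "10.78.1.20"))  # local: ARP for SRV1
    print(resolve_and_send(switch1, LAN1, "WS1", "10.78.2.20"))  # remote: ARP for gateway
    print(route_lookup(ROUTES, "10.78.2.20"))
```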

Now that ARP broadcasts are understood, the million dollar question is:

Question: When do you filter ARP broadcasts from your trace and when do you leave them in?

Discuss the question with your peers before reading below.

Answer: If you are trying to determine which route a packet took from Source to Destination, leave the ARPs in. If you are troubleshooting an unreachable device, leave the ARPs in. If you know in your trace that your Source IP is talking with your Destination IP and you are dissecting the conversation, take them out.

Lab 1 - Remove ARPs from Trace

Purpose:

Demonstrate the simple protocol filtering syntax used by WireShark to remove a protocol from a trace and put it back in.

Lab Steps:

1. Open the trace GenericTrace1.pcap from the course content (or any other trace you used for Error: Reference source not found).

2. Scroll in the Packet List pane and select Frame 11.

3. Using the Filter, enter “!arp” without the quotes and click Apply.

Figure 6 - Remove ARP with Filter

4. Notice how Frame 11 and any other frame that contained an ARP has disappeared.


Figure 7 - Missing Frame from ARP Filter

5. Examine Figure 7 and notice that in column 1 of the Packet List, frame 11 is missing along with 16 through 18. They are missing because of the filter.

6. Press the Clear button on the Filter toolbar and notice the ARPs are back.

7. The basic protocol syntax is [ ! ] protocol, where “!” means NOT and protocol is a recognized protocol name. Example: to remove all HTTP traffic, enter “!http”.

8. Now that the ARP traffic is back, enter just “arp” in the filter toolbar without the quotes and hit Apply. Notice that now the only traffic you see is ARP traffic.


Figure 8 - ARP Filter

9. Press Clear.
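Lab 1’s “[ ! ] protocol” filter applied to constructed Ethernet II frames, as an added example that is not part of the manual: the frames are built and dissected inline (GenericTrace1.pcap is not needed), with frames 11 and 16 through 18 carrying ARP as in Figure 7; the IP addresses are the manual’s WS1 and SRV1, the MAC addresses are constructed.

```python
"""Added example, not code from the Forensic IT manual: build a small Packet
List of raw frames, dissect each just far enough to name its protocols, and
apply "!arp" / "arp" / "!http" style display filters to it."""
import ipaddress
import struct

ETHERTYPE = {0x0806: "arp", 0x0800: "ip"}
IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
BROADCAST = "ff:ff:ff:ff:ff:ff"
WS1_MAC, SRV1_MAC = "00:00:00:00:00:01", "00:00:00:00:00:20"  # constructed


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Ethernet II + ARP request as WS1 sends it: destination MAC is the
    Ethernet broadcast, EtherType 0x0806, target MAC still unknown (zeros)."""
    eth = mac_bytes(BROADCAST) + mac_bytes(src_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # htype, ptype, hlen, plen, opcode=request
    arp += mac_bytes(src_mac) + ipaddress.IPv4Address(src_ip).packed
    arp += bytes(6) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def build_ip_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                   proto: int) -> bytes:
    """Ethernet II + minimal IPv4 header (no options, no payload); only the
    fields the dissector reads are meaningful."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def dissect(frame: bytes) -> list:
    """Protocol stack, lowest layer first, the way the Packet Details pane
    lists it: eth, then arp or ip, then the IP payload protocol."""
    stack = ["eth"]
    name = ETHERTYPE.get(struct.unpack("!H", frame[12:14])[0])
    if name is None:
        return stack
    stack.append(name)
    if name == "ip":
        l4 = IP_PROTO.get(frame[14 + 9])  # IPv4 header byte 9 = protocol
        if l4:
            stack.append(l4)
    return stack


def arp_info(frame: bytes) -> str:
    """Wireshark-style Info column for an ARP request (sender IP at offset 28,
    target IP at offset 38 of the frame)."""
    sender_ip = ipaddress.IPv4Address(frame[28:32])
    target_ip = ipaddress.IPv4Address(frame[38:42])
    return f"Who has {target_ip}? Tell {sender_ip}"


def parse_protocol_filter(expr: str):
    """"[ ! ] protocol": returns (negated, protocol name)."""
    text = expr.strip().lower()
    negated = text.startswith("!")
    name = text[1:].strip() if negated else text
    if not name.isalnum():
        raise ValueError(f"not a simple protocol filter: {expr!r}")
    return negated, name


def apply_display_filter(packet_list: dict, expr: str):
    """packet_list maps frame number -> raw frame. Returns (shown, hidden)
    frame numbers; an empty expression (Clear) shows everything. A protocol
    matches when it appears anywhere in the frame's stack."""
    if not expr.strip():
        return sorted(packet_list), []
    negated, proto = parse_protocol_filter(expr)
    shown = [n for n in sorted(packet_list)
             if (proto in dissect(packet_list[n])) != negated]
    return shown, [n for n in sorted(packet_list) if n not in shown]


# Constructed Packet List mirroring Figure 7: ARP in frames 11 and 16-18.
PACKET_LIST = {
    10: build_ip_frame(WS1_MAC, SRV1_MAC, "10.78.1.1", "10.78.1.20", 6),
    11: build_arp_request(WS1_MAC, "10.78.1.1", "10.78.1.20"),
    12: build_ip_frame(SRV1_MAC, WS1_MAC, "10.78.1.20", "10.78.1.1", 6),
    13: build_ip_frame(WS1_MAC, SRV1_MAC, "10.78.1.1", "10.78.1.20", 17),
    14: build_ip_frame(SRV1_MAC, WS1_MAC, "10.78.1.20", "10.78.1.1", 1),
    15: build_ip_frame(WS1_MAC, SRV1_MAC, "10.78.1.1", "10.78.1.20", 6),
    16: build_arp_request(WS1_MAC, "10.78.1.1", "10.78.1.254"),
    17: build_arp_request(SRV1_MAC, "10.78.1.20", "10.78.1.1"),
    18: build_arp_request(WS1_MAC, "10.78.1.1", "10.78.1.20"),
}

if __name__ == "__main__":
    print(apply_display_filter(PACKET_LIST, "!arp"))  # frames 11, 16-18 hidden
    print(apply_display_filter(PACKET_LIST, "arp"))   # only those frames shown
    print(arp_info(PACKET_LIST[11]))
```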


Pages 63 through 103 removed


List of Lab Exercises

Lab 1 – Examine Generic Capture ..... 44
Lab 2 - Test WireShark FCS Dissection ..... 45
Lab 3 - Address Resolution Protocol (ARP) ..... 46
Lab 4 - Remove ARPs from Trace ..... 59
Lab 5 - Add Delta Time Column and Filter ..... 65
Lab 6 - Manual Filter Entry ..... 68
Lab 7 - Complex Filter Combination ..... 71
Lab 8 - Right-Click Filtering ..... 76
Lab 9 - Apply as Column ..... 79
Lab 10 - Calculate Times via Packet Marking ..... 81
Lab 11 - Object Export ..... 96
Lab 12 - Export HTML and Image Files ..... 103


List of Figures

Figure 1 - Generic Client/Server Application .... 9
Figure 2 - Client/Server Same Computer .... 13
Figure 3 - Client/Server Hub Connection .... 14
Figure 4 - Network Capture with Hub .... 14
Figure 5 - Client/Server Layer 2 Switch Connection .... 15
Figure 6 - Switch with Port Mirroring .... 16
Figure 7 - Client/Server Multiple Layer 2 Switches .... 17
Figure 8 - Client/Server Multiple Switches/Clients .... 17
Figure 9 - Multiple Switches and Port Mirroring .... 18
Figure 10 - Client/Server Layer 3 Switch Connection .... 20
Figure 11 - Client/Server Routing Switch and Access Layer Switches .... 20
Figure 12 - Client/Server Route/Access Switches Same VLAN .... 21
Figure 13 - LAN Separation .... 21
Figure 14 - Client/Server Route/Access Switches Different VLANs .... 23
Figure 15 - Client/Server Across Firewalls .... 23
Figure 16 - One-Sided Trace .... 25
Figure 17 - One-Sided Trace Port Mirror .... 25
Figure 18 - Two-Sided Trace .... 26
Figure 19 - Two-Sided Trace Port Mirror .... 27
Figure 20 - Man-in-Middle Scenario Trace 1 .... 27
Figure 21 - Man-in-Middle Scenario Trace 2 .... 28
Figure 22 - Man-in-Middle Failure Summary .... 30
Figure 23 - Man-in-Middle Detail View .... 30
Figure 24 - Man-in-Middle Trace 3 .... 31
Figure 25 - Man-in-Middle Bad NIC .... 32
Figure 26 - Wireshark Initial Window .... 37
Figure 27 - ipconfig /all .... 39
Figure 28 - Menu Capture-->Interfaces .... 40
Figure 29 - Capture Interfaces .... 40
Figure 30 - Basic Capture Data .... 41
Figure 31 - Basic Capture Window Details .... 41
Figure 32 - Generic Trace 1 Frame 1 Packet Summary .... 42
Figure 33 - Generic Trace Frame 1 Packet Details .... 42
Figure 34 - Generic Trace Frame 1 Expanded Layer 1 .... 43
Figure 35 - Generic Trace 1 Highlight Packet Bytes .... 43
Figure 36 - Ethernet II Frame Format .... 43
Figure 37 - Ethernet II Frame with Data .... 44
Figure 38 - Applied 7-Layer OSI Model .... 47
Figure 39 - OSI 7-Layer Reference Model .... 48
Figure 40 - OSI 7-Layer Grouped Model .... 49
Figure 41 - TCP/IP or DoD Reference Model .... 49
Figure 42 - Simple Network .... 54
Figure 43 - Local LAN ARP .... 55
Figure 44 - Remote LAN Data Transmission .... 56
Figure 45 - ARP Broadcast for Default Gateway .... 57
Figure 46 - ARP Broadcast from Router Interface .... 58
Figure 47 - Remove ARP with Filter .... 59
Figure 48 - Missing Frame from ARP Filter .... 60
Figure 49 - ARP Filter .... 61
Figure 50 - Filter Toolbar .... 64
Figure 51 - Expression Dialog .... 65
Figure 52 - Right Click Packet List Header .... 66
Figure 53 - Column Preferences Dialog .... 66
Figure 54 - Delta Time .... 67
Figure 55 - Expression Dialog IPv4 Filter .... 67
Figure 56 - Unapplied Filter .... 68
Figure 57 - Improper Filter Syntax Color Cue .... 69
Figure 58 - Invalid Display Filter Error Dialog .... 69
Figure 59 - Correct Filter Syntax Color Cue .... 69
Figure 60 - Boolean Logic Error .... 70
Figure 61 - Boolean Logic Correction .... 70
Figure 62 - Out of Order Boolean Logic .... 72
Figure 63 - Proper Multi-IP Filter .... 72
Figure 64 - Proper Filter with Logic Operators and Grouping .... 72
Figure 65 - Complex Filter with Negation .... 72
Figure 66 - Incorrect Protocol Case .... 73
Figure 67 - Interesting Packet .... 73
Figure 68 - Expanded IPv4 Tree Node .... 74
Figure 69 - Right Click Filter from Packet Details .... 74
Figure 70 - Filter Using ip.src .... 75
Figure 71 - Prepare a Filter .... 75
Figure 72 - Filter Selection Logic .... 76
Figure 73 - Right Click Protocol Expansion .... 76
Figure 74 - Select ENIP Protocol .... 77
Figure 75 - ENIP Filter .... 77
Figure 76 - Correct ENIP and ip.addr Filter .... 77
Figure 77 - ENIP Sequence Number .... 78
Figure 78 - ENIP Sequence Filter Incorrect .... 78
Figure 79 - ENIP Sequence Filter Corrected .... 78
Figure 80 - Lab Filter .... 79
Figure 81 - Right Click Apply as Column .... 80
Figure 82 - Added Column Sequence Number .... 80
Figure 83 - Go To Packet .... 81
Figure 84 - Break in ENIP Sequence Number .... 81
Figure 85 - Manually Calculate Time Delta .... 82
Figure 86 - Change Time Display Format .... 83
Figure 87 - Set Time Reference (toggle) .... 84
Figure 88 - Time Format Warning .... 84
Figure 89 - Statistics Summary .... 86
Figure 90 - Statistics Protocols (filtered) .... 87
Figure 91 - Statistics Protocols (unfiltered) .... 88
Figure 92 - Statistics Conversations .... 89
Figure 93 - Conversation List Trace Filter .... 90
Figure 94 - Statistics TCP Endpoints .... 91
Figure 95 - Statistics Limit to Display Filter .... 91
Figure 96 - Flow Graph Selection .... 92
Figure 97 - Statistics Flow Graph .... 93
Figure 98 - SSL Certification Configuration .... 95
Figure 99 - Export Objects SMB .... 96
Figure 100 - SMB File List .... 97
Figure 101 - Save Object As .... 98
Figure 102 - Windows Explorer File Export .... 98
Figure 103 - Word Document from Trace .... 99
Figure 104 - Excel Document from Trace .... 100
Figure 105 - Notepad File from Trace .... 100
Figure 106 - SMB Read Response .... 101
Figure 107 - TCP Reassembly of File Data .... 101
Figure 108 - Export Selected Packet Bytes .... 102
Figure 109 - Export Raw Data .... 102
Figure 110 - Rename Raw File to Docx .... 103
Figure 111 - Export Objects HTTP .... 104
Figure 112 - HTTP Object List .... 104
